1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

13 commits

Author SHA1 Message Date
Arnaud Rebillout
6349b32e1b daemon/oci_linux_test: Skip privileged tests when non-root
These tests fail when run by a non-root user

  === RUN   TestTmpfsDevShmNoDupMount
      oci_linux_test.go:29: assertion failed: error is not nil: mkdir /var/lib/docker: permission denied
  --- FAIL: TestTmpfsDevShmNoDupMount (0.00s)
  === RUN   TestIpcPrivateVsReadonly
      oci_linux_test.go:29: assertion failed: error is not nil: mkdir /var/lib/docker: permission denied
  --- FAIL: TestIpcPrivateVsReadonly (0.00s)
  === RUN   TestSysctlOverride
      oci_linux_test.go:29: assertion failed: error is not nil: mkdir /var/lib/docker: permission denied
  --- FAIL: TestSysctlOverride (0.00s)
  === RUN   TestSysctlOverrideHost
      oci_linux_test.go:29: assertion failed: error is not nil: mkdir /var/lib/docker: permission denied
  --- FAIL: TestSysctlOverrideHost (0.00s)

Signed-off-by: Arnaud Rebillout <elboulangero@gmail.com>
2020-12-15 09:47:44 +07:00
Justin Cormack
dae652e2e5
Add default sysctls to allow ping sockets and privileged ports with no capabilities
Currently default capability CAP_NET_RAW allows users to open ICMP echo
sockets, and CAP_NET_BIND_SERVICE allows binding to ports under 1024.
Both of these are safe operations, and Linux now provides ways that
these can be set, per container, to be allowed without any capabilties
for non root users. Enable these by default. Users can revert to the
previous behaviour by overriding the sysctl values explicitly.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2020-06-04 18:11:08 +01:00
Sebastiaan van Stijn
eeef12f469
daemon: address some minor linting issues and nits
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-14 17:22:17 +02:00
Sebastiaan van Stijn
9f0b3f5609
bump gotest.tools v3.0.1 for compatibility with Go 1.14
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-11 00:06:42 +01:00
Aleksa Sarai
f38ac72bca
oci: add integration tests for kernel.domainname configuration
This also includes a few refactors of oci_linux_test.go.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-11-30 19:44:50 +11:00
Lihua Tang
8df0b2de54 Fix typos in comment
Signed-off-by: Lihua Tang <lhtang@alauda.io>
2018-09-07 13:17:42 +08:00
Salahuddin Khan
763d839261 Add ADD/COPY --chown flag support to Windows
This implements chown support on Windows. Built-in accounts as well
as accounts included in the SAM database of the container are supported.

NOTE: IDPair is now named Identity and IDMappings is now named
IdentityMapping.

The following are valid examples:
ADD --chown=Guest . <some directory>
COPY --chown=Administrator . <some directory>
COPY --chown=Guests . <some directory>
COPY --chown=ContainerUser . <some directory>

On Windows an owner is only granted the permission to read the security
descriptor and read/write the discretionary access control list. This
fix also grants read/write and execute permissions to the owner.

Signed-off-by: Salahuddin Khan <salah@docker.com>
2018-08-13 21:59:11 -07:00
Vincent Demeester
3845728524
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-13 09:04:30 +02:00
Kir Kolyshkin
d8fd6137a1 daemon.getSourceMount(): fix for / mount point
A recent optimization in getSourceMount() made it return an error
in case when the found mount point is "/". This prevented bind-mounted
volumes from working in such cases.

A (rather trivial but adeqate) unit test case is added.

Fixes: 871c957242 ("getSourceMount(): simplify")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-05-10 12:53:37 -07:00
Daniel Nephin
6be0f70983 Automated migration using
gty-migrate-from-testify --ignore-build-tags

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-16 11:03:43 -04:00
Kir Kolyshkin
33dd562e3a daemon/oci_linux_test: add TestIpcPrivateVsReadonly
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-03-08 14:04:03 -08:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Kir Kolyshkin
1861abdc4a Fix "duplicate mount point" when --tmpfs /dev/shm is used
This is a fix to the following issue:

$ docker run --tmpfs /dev/shm busybox sh
docker: Error response from daemon: linux mounts: Duplicate mount point '/dev/shm'.

In current code (daemon.createSpec()), tmpfs mount from --tmpfs is added
to list of mounts (`ms`), when the mount from IpcMounts() is added.
While IpcMounts() is checking for existing mounts first, it does that
by using container.HasMountFor() function which only checks container.Mounts
but not container.Tmpfs.

Ultimately, the solution is to get rid of container.Tmpfs (moving its
data to container.Mounts). Current workaround is to add checking
of container.Tmpfs into container.HasMountFor().

A unit test case is included.

Unfortunately we can't call daemon.createSpec() from a unit test,
as the code relies a lot on various daemon structures to be initialized
properly, and it is hard to achieve. Therefore, we minimally mimick
the code flow of daemon.createSpec() -- barely enough to reproduce
the issue.

https://github.com/moby/moby/issues/35455

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-11-20 18:48:27 -08:00